Following a groundbreaking cryptographic attack that hijacked the platform Microsoft uses to deliver updates to millions of large customers, the company has issued changes designed to prevent similar exploits from working again.

The company's Windows Server Update Services, which businesses and organizations use to deliver patches to large fleets of PCs, will no longer work through network proxies that use SSL deep packet content inspection, Microsoft representatives said in an advisory published Friday afternoon. Such proxies act as man-in-the-middle devices that can peek inside encrypted traffic as it travels from a local network onto the Internet. Enterprises that have inspection servers in place will have to create exception rules so all Windows Update traffic is bypassed.

The changes are designed to blunt the kind of attacks carried out by Flame, the sophisticated espionage software that infected PCs in Iran and other Middle Eastern countries. As revealed earlier this week, the malware hijacked the Windows Update process to spread from machine to machine within a local network. By hacking a Microsoft licensing service to sign malware stored on one infected computer, Flame could disguise the malicious payload as a Windows update that should be installed by other computers on the same network.

Microsoft has also provided cryptographic hashes that will accompany all future Windows Updates. Each hash is signed with a private key that only Microsoft possesses, making it infeasible for attackers to include the same certification.

43 Reader Comments

I don't think the phrase 'theoretically impossible' is being used well here. It's always 'theoretically possible' to compute a private key from the public key. It's just not actually possible given the practical limits imposed by reality.

Quote:

Microsoft has also provided cryptographic hashes that will accompany all future Windows Updates. It is signed with a private key that only Microsoft possesses, making it theoretically impossible for attackers to include the same certification.

Not trying to flame, but why wasn't this done before? If they were so quickly and non-intrusively able to make these changes now, what was the reasoning for not having done it from the start to make the system as secure as possible? Are there trade-offs? Is it not as low impact as it may seem?

Quote:

I don't think the phrase 'theoretically impossible' is being used well here. It's always 'theoretically possible' to compute a private key from the public key. It's just not actually possible given the practical limits imposed by reality.

Good point. I changed to say simply "infeasible." Thanks for the suggestion.

Quote:

Not trying to flame, but why wasn't this done before? If they were so quickly and non-intrusively able to make these changes now, what was the reasoning for not having done it from the start to make the system as secure as possible? Are there trade-offs? Is it not as low impact as it may seem?

A number of reasons if I had to guess. "From the start" for Windows update traces back to Windows 98. Different world back then. The vast majority of updates get applied automatically, with no user intervention, and are signed besides, which until now was a good method of proving authenticity. There was never a hue and cry for this, even from security researchers, that I can tell. Now that it has proven a viable attack vector, they're responding by providing extra methods of authentication. You can always say there is more that needs to be done, but after 15 years and hundreds of billions of delivered updates, the threat model seemed to be well understood. Flame proved there was a new vector, so changes were made to address that. The fight goes on.

Quote:

Enterprises that have inspection servers in place will have to create exception rules so all Windows Update traffic is bypassed

How many admins with deep-packet-inspection at their edge let their users and devices get updates directly from Windows Update instead of using local WSUS instances that they control? Admins are big boys and girls, they can probably handle this change just fine.

I'm certainly no expert in these matters, but an interesting question comes to mind: Could some group like, say, the NSA, without the help of s/w or h/w mfgs, figure out a way to get into anyone's computer connected to the internet, regardless of whatever current defenses might exist, and then have access to whatever is on that computer and grab, change or delete it?

This does portend an inevitable Big Brother, no? Or is there an absolute way to keep this from ever happening? Is there always going to be the eternal tit for tat, or will we ever be able to just relax?

It should be stated this is only an issue for networks that deploy SSL DPI, not DPI. Standard DPI can not look at encrypted traffic. Most mid to high range firewalls support DPI out of the box, but SSL DPI is often a much more expensive option, not just for licensing but in performance impact as well...

Shutting the gate after the horse has bolted. Flame may be "contained" but it was released years ago. What about the stuff in the wild that is newer than Flame. Are they looking for that as well?

3/10, needs more effort. Suggestions: Include "M$" and somehow manage to add something about apple or *nix.

brentbb00 wrote:

I'm certainly no expert in these matters, but an interesting question comes to mind: Could some group like, say, the NSA, without the help of s/w or h/w mfgs, figure out a way to get into anyone's computer connected to the internet, regardless of whatever current defenses might exist, and then have access to whatever is on that computer and grab, change or delete it?

Well I think we can all agree on the theorem that modern software, especially OSes, are complex enough that it's impossible for them ever to be bug free (cf look at how much NASA pays per single line of code because of all their additional security measures and they *still* have catastrophic software bugs in their code). So.. sure it's possible. But I'd think it much more likely that there are backdoors already implemented in some software - and worse - hardware. Against the latter not even running linux is any help - you'd need opensource hardware.

The only 100% certain way to avoid that is to not connect the computer to anything from the outside world, especially not the internet (USB sticks are not a good idea either though).

Quote:

Or is there an absolute way to keep this from ever happening? Is there always going to be the eternal tit for tat, or will we ever be able to just relax?

Yah never connect your system to the internet....OK I know it sounds like a joke but that is the only 100% bullet proof method of ensuring your system will not be compromised via a network.

The other way is to differentiate your system as much as possible from everyone else. The more different (SP?) the system is the less a hacker\cracker can assume about how the system works. The problem is most people run either Windows XP or Windows 7 which means out of the box they can assume a whole hell of a lot. *shrugs* It's like cancer. You may get it, or you may not throughout your lifetime. Take a little care but don't get bent out of shape over it.

Use a nonstandard browser (i.e. anything other than IE), don't run the account with administrative rights, use a good firewall, use a known good antivirus package that looks for questionable behavior as well as using the traditional definition detection method (that is becoming less and less reliable BTW), use web based mail, make sure you have strong passwords, try and keep your system behind a router when possible, always stay up to date on system updates, download software only from credible sources, and use HTTPS when possible. And yes even stay up to date on the latest revision of the OS be it Windows, Linux, OS X. *shrugs* And you would still be compromised by Flame. Personally all my critical and private "stuff" is done inside a hardened VM with multiple levels of security between the host OS and the VM which isn't running all the time, but that is probably overkill for most.

Technically, if you ask Google or certain other people, IE is now the nonstandard browser. You should be avoiding Chrome instead.

(That's mostly sarcasm by the way. It's more important to stay up to date than avoid one browser or another. IE9 is not easy to p0wn, so saying avoid it is really saying "avoid IE6" which goes back to "keep your shit up-to-date".)

Quote:

(That's mostly sarcasm by the way. It's more important to stay up to date than avoid one browser or another. IE9 is not easy to p0wn, so saying avoid it is really saying "avoid IE6" which goes back to "keep your shit up-to-date".)

Yep, basically siliconaddict's argument boils down to security through obscurity. This *can* work against large scale attacks, but if someone is really interested in getting into one specific system, this mostly means that you're using a less well tested system that probably contains many more unknown security vulnerabilities. So it does have its downsides.

Quote:

Technically, if you ask Google or certain other people, IE is now the nonstandard browser. You should be avoiding Chrome instead.

(That's mostly sarcasm by the way. It's more important to stay up to date than avoid one browser or another. IE9 is not easy to p0wn, so saying avoid it is really saying "avoid IE6" which goes back to "keep your shit up-to-date".)

Meh. Since it ships with Windows it's "standard". But arguable. And frankly at this point most of the browsers are secure enough. It's mostly nitpicking over security. I still twitch about using IE because of all those years of supporting IE6 and 3AM patch testing only to have MS release another round of patches for the patches that opened up new holes. *twitch*

[tin hat] That was a quick patch! Does anyone here feel that Microsoft might have known about Flame for a while BUT they did not patch it because someone ordered them not to patch it unless it was all over the news?[/tin hat]

Quote:

Yep, basically siliconaddict's argument boils down to security through obscurity. This *can* work against large scale attacks, but if someone is really interested in getting into one specific system, this mostly means that you're using a less well tested system that probably contains many more unknown security vulnerabilities. So it does have its downsides.

Flame IS a large scale attack. It's a scatter gun method: release it onto a network and see what it can infect. That said, the tips are just good practices. I could make a list about as long as my arm on how to harden Windows further, some of which is more complicated than your average user is going to be capable of doing. See netsh tweaking as an example.

PS- I agree that security by obscurity is a bad approach to security.....wait for it.....by itself. I never suggested that SBO on its own was a magic bullet. But it's a layer of security. You add another and another and another and another and it starts to add up into a bullet proof vest. But even a 50 cal can make short work of a vest. Again there is no such thing as 100% secure other than being off a network in a secured environment.

Quote:

It should be stated this is only an issue for networks that deploy SSL DPI, not DPI. Standard DPI can not look at encrypted traffic. Most mid to high range firewalls support DPI out of the box, but SSL DPI is often a much more expensive option, not just for licensing but in performance impact as well...

Thanks for pointing this out, danstl. I've updated the article to include this important distinction.

Quote:

3/10, needs more effort. Suggestions: Include "M$" and somehow manage to add something about apple or *nix.

I'm confused but what are you saying here? I'm not bashing Microsoft, I'm arguing that reactive security is not going to be able to deal with these issues in the future and we need to focus on proactive security. Looking at what can be theoretically done to intrude upon systems and fixing it before the problem arrives.

Can someone explain to me how Microsoft can detect that you're doing DPI on Windows Services' transmissions? I don't know how DPI works, but I fail to see how the sender can detect that the packets have been inspected by the receiver. And wouldn't it be possible to let packets through but store a copy for later DPI?

Quote:

I'm confused but what are you saying here? I'm not bashing Microsoft, I'm arguing that reactive security is not going to be able to deal with these issues in the future and we need to focus on proactive security. Looking at what can be theoretically done to intrude upon systems and fixing it before the problem arrives.

Well MS is already doing that; they have some of the foremost experts on security and they certainly don't let them sit around until an exploit becomes known. Still, learning from one exploit to stop an attack is certainly better than ignoring it.

They have a well known model for secure development and are using proactive security measures like ASLR, DEP, secure boot already. But really OSes are just too complicated to assume 100% safety.

Quote:

5. Patched Flaw Must Use Man-In-Middle Attack

More good news is that Flame's certificate spoofing attack only works after a PC has already been compromised. "In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack," said Mike Reavey, the senior director of Microsoft's security and research center, in a Monday blog post. Even so, the related threat remains severe, as any such attack could automatically install malware of an attacker's choice on a targeted PC. Accordingly, Reavey promised that "the next action of our mitigation strategy is to further harden Windows Update," and said further details would be released shortly.

http://www.informationweek.com/news/sec ... /240001490

If the attack only works on a PC that has already been compromised then the attack is completely trivial.

Quote:

How many admins with deep-packet-inspection at their edge let their users and devices get updates directly from Windows Update instead of using local WSUS instances that they control? Admins are big boys and girls, they can probably handle this change just fine.

Quote:

Can someone explain to me how Microsoft can detect that you're doing DPI on Windows Services' transmissions? I don't know how DPI works, but I fail to see how the sender can detect that the packets have been inspected by the receiver. And wouldn't it be possible to let packets through but store a copy for later DPI?

Generally when one establishes an SSL connection, a handshake using certificates is required. Admins can add their own trusted root certs to Windows and install that on a proxy. When Windows Update attempts to connect back to Microsoft, the proxy uses the trusted root cert and says "this connection is trusted". Windows Update doesn't care that it's connecting back to Microsoft, but that it's connecting to a "trusted" computer.

The proxy itself doesn't actually do any validation against the connection it's going out to other than it's encrypted. So admins many times like to go out of their way to make security worse for themselves because they're idiots and should have installed a WSUS server locally.

Malware takes advantage of the compromised proxy, which masks the error by blindly trusting another cert while claiming the connection is to a "trusted" computer, then uploads its own payload.

From the sounds of it, Windows Update will now not only validate that the connection is to a "trusted" computer, but that it's to an actual Microsoft server. This will break the man-in-the-middle SSL DPI.

Quote:

I'm certainly no expert in these matters, but an interesting question comes to mind: Could some group like, say, the NSA, without the help of s/w or h/w mfgs, figure out a way to get into anyone's computer connected to the internet, regardless of whatever current defenses might exist, and then have access to whatever is on that computer and grab, change or delete it?

This does portend an inevitable Big Brother, no? Or is there an absolute way to keep this from ever happening? Is there always going to be the eternal tit for tat, or will we ever be able to just relax?

I think the safest thing to do is relax and assume that your machine has already or can be at any time, completely pwned. That is unless it is not connected to the internet by any means, ever. No updates, nuttin never. Even then, the janitor or your daughter are probably using it for their webcam porn server when you go for tea and one of those delish crumb cakes which fill your keyboard till the space bar doesn't work right. Hope this helped.

Just installed the update on my WSUS server. It comes up as a SP2. One other note: so far as I can tell this also requires an update to the Windows Update client, as that was the first thing that popped up on my clients right after SP2 was installed. It looks like MS did a bit more than just update the server end.

Quote:

Can someone explain to me how Microsoft can detect that you're doing DPI on Windows Services' transmissions? I don't know how DPI works, but I fail to see how the sender can detect that the packets have been inspected by the receiver. And wouldn't it be possible to let packets through but store a copy for later DPI?

Short answer: SSL DPI depends on adding the organization's certificate authority (CA) to the client machine's trusted root CA list. Until now, Microsoft Update verified the certificate against the trusted root CA list, but now that's changed to a hard-coded Microsoft certificate, so SSL DPI won't work anymore.

Long answer: SSL works like this: The traffic is encrypted, and only client & server can decrypt it; no one in the middle can. Also, to verify the server's authenticity, the client gets a certificate from the server, and checks that the certificate is issued from a CA in the client's trusted root CA list (see "SSL And The Future Of Authenticity", http://www.youtube.com/watch?v=Z7Wl2FW2TcA, for criticism of this method...)

SSL DPI works like this:

1. Client tries to connect to server via firewall.
2. Firewall connects to the server on behalf of the client.
3. Firewall generates ("forges") a certificate with the same name as the server's certificate, using the organization's CA, and completes the connection to the client.
4. Client gets the "forged" certificate and trusts it, since the organization's admins added the organization's CA to the client's trusted root CA list*.
5. Now client communicates with the firewall, which forwards the communication to the server. The firewall can see the unencrypted traffic and "inspect" it.

* This worked for Microsoft Update, but now Microsoft Update trusts only a hardcoded CA(s), so the organization CA won't work anymore.
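As an added illustration of the trust-store versus hard-coded-root distinction described in this reply and in the earlier one about proxies and trusted root certs (my own example, not code from the article, Microsoft, or any commenter): two constructed CAs stand in for the vendor's update root and an organization's inspection CA, and a client checks the same hostname against a machine root store that includes the org CA and against a pool pinned to the vendor root only. The hostname, CA names, and the "pin to the vendor root" behaviour are assumptions for illustration, not Microsoft's actual implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustCert parses the DER returned by x509.CreateCertificate.
func mustCert(der []byte, err error) *x509.Certificate {
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// template builds a short-lived certificate body; every cert here is constructed.
func template(cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// newCA creates a self-signed root: the vendor's update root or the org's proxy CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	t := template(name, true)
	return mustCert(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)), key
}

// issueLeaf has ca sign a server cert for host (step 3 of the SSL DPI walkthrough above).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	t := template(host, false)
	t.DNSNames = []string{host}
	return mustCert(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey))
}

// accepted is the client-side check: does leaf chain to a root in pool for host?
func accepted(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Scenario returns: root-store client accepts forged cert, pinned client accepts genuine cert, pinned client accepts forged cert.
func Scenario() (storeAcceptsForged, pinnedAcceptsGenuine, pinnedAcceptsForged bool) {
	const host = "update.example.test" // placeholder, not a real update endpoint
	vendorCA, vendorKey := newCA("Vendor Update Root (constructed)")
	orgCA, orgKey := newCA("Org Inspection Proxy CA (constructed)")
	genuine := issueLeaf(vendorCA, vendorKey, host) // what the real server presents
	forged := issueLeaf(orgCA, orgKey, host)        // what the inspecting proxy presents
	rootStore := x509.NewCertPool()                 // machine store after the admin added the org CA
	rootStore.AddCert(vendorCA)
	rootStore.AddCert(orgCA)
	pinned := x509.NewCertPool() // hardened client: only the vendor root is trusted
	pinned.AddCert(vendorCA)
	return accepted(forged, rootStore, host), accepted(genuine, pinned, host), accepted(forged, pinned, host)
}

func main() {
	fmt.Println(Scenario()) // prints: true true false
}
```

The first result is the pre-change situation the thread describes (the proxy's forged certificate passes), and the last two show why pinning breaks SSL DPI without breaking the genuine connection.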


Quote:

I'm confused but what are you saying here? I'm not bashing Microsoft, I'm arguing that reactive security is not going to be able to deal with these issues in the future and we need to focus on proactive security. Looking at what can be theoretically done to intrude upon systems and fixing it before the problem arrives.

Retroactive security means a lot, actually. You look at the worst malware to pop up, they're often not only known exploits but it's only exploiting unpatched machines. Now that this exploit is known, someone could write a malicious piece of malware that's not just aimed at the Iranians, but at everyone (it's much easier to use someone else's work than it is to create it from scratch). Not patching it would be insane, so they patched it.

And yes, Microsoft are looking for holes. However if you expect that Microsoft (or anyone else) will ever be able to completely secure an OS that's meant to be a heavily connected communications machine, you're not attached strongly enough to reality. This was a really obscure attack carried out by a highly skilled, professional team of people. The certificate that was exploited shouldn't have existed like it did, but hindsight is always 20/20. Up until 2008 there wasn't really an example of MD5 being exploitable in this fashion. Eventually SHA-1 will be broken and Microsoft will have to patch all sorts of things. If someone invents a never before thought of attack on certificates, this could happen again easily enough.

Quote:

I'm certainly no expert in these matters, but an interesting question comes to mind: Could some group like, say, the NSA, without the help of s/w or h/w mfgs, figure out a way to get into anyone's computer connected to the internet, regardless of whatever current defenses might exist, and then have access to whatever is on that computer and grab, change or delete it?

This does portend an inevitable Big Brother, no? Or is there an absolute way to keep this from ever happening? Is there always going to be the eternal tit for tat, or will we ever be able to just relax?

I think it all depends on how paranoid you are and how often you check your logs. Pretty much any attack vector can be closed, but in doing so you also limit your functionality, or at least that's what a number of security guys I've talked to have said.

I'm not sure if having a big brother state is actually in the state's best interests though. If any PC can be connected to and controlled AND the tracks and traces of said connection be removed, would it not provide plausible deniability to each and every citizen with regards to the content of their HDDs and even the online actions taken by their IP/MAC address?

Quote:

[tin hat] That was a quick patch! Does anyone here feel that Microsoft might have known about Flame for a while BUT they did not patch it because someone ordered them not to patch it unless it was all over the news?[/tin hat]

Why does it take a tinfoil hat to think that the NSA, of all groups, might actually be up to some really sneaky shit? And, that they might use their influence on companies like MS, Apple and others? Seriously, why do ideas like that get relegated to conspiracy theory status when in reality it's the bloody NSA, they SPY on people and are an arm of the government. Companies like MS have no choice but to comply with them.

Quote:

Why does it take a tinfoil hat to think that the NSA, of all groups, might actually be up to some really sneaky shit? And, that they might use their influence on companies like MS, Apple and others? Seriously, why do ideas like that get relegated to conspiracy theory status when in reality it's the bloody NSA, they SPY on people and are an arm of the government. Companies like MS have no choice but to comply with them.

Relegating those people to a category of kooks and crazies keeps the lie alive. Ignorance is bliss and I think the general populace would rather look the other way than think for a second their government is involved in these actions.